Hackers penetrated LAUSD computers much earlier than previously known, district probe finds

/in


Los Angeles, CA - September 06: Superintendent of Los Angeles Unified School District Alberto M. Carvalho speaks during a press conference at Edward R. Roybal Learning Center on Tuesday, Sept. 6, 2022, in Los Angeles, CA. There's been a major cyberattack on the Los Angeles Unified School District. Major problems over the weekend. (Francine Orr / Los Angeles Times)

Supt. Alberto M. Carvalho speaks at a September news conference about a major cyberattack on the Los Angeles Unified School District. (Francine Orr/Los Angeles Times)

An intrusion into the computer systems of the Los Angeles school district began more than a month earlier than previously disclosed and likely exposed confidential information, including Social Security numbers, of more than 500 people who worked for district contractors, according to information filed with the state.

As the district previously disclosed, the security breach does not appear to extend to the payroll records and Social Security numbers for the tens of thousands of district employees. An undisclosed number of students enrolled at some point from 2013 through 2016 and some employees during that period appear to have lost information that includes their date of birth and address. California school districts don’t collect student Social Security numbers.

The updated information comes by way of a “Notice of Data Breach” that the nation’s second-largest school system was required under state law to send to potential victims.

School district officials Friday did not provide information on the number of possible victims. In addition to having to notify victims, a notice letter must be filed with the state attorney general when the number of those affected surpasses 500 California residents, the mandated threshold for public notification.

District officials had previously stated that there would be a small but not-yet-determined number of victims — “outliers,” as Supt. Alberto Carvalho described them. The victims would be notified and assisted, he added, while emphasizing that the overriding narrative was one of a worse disaster averted.

Hackers made off with about 500 gigabytes of data — a figure agreed on by both the hackers and the school system. That’s a large haul compared with what an individual user would maintain, but a tiny fraction of the data under the control of L.A. Unified.

Stealing data is only one part of an attack. The second part involves encrypting computer systems so that its users cannot get in, paralyzing the ability to conduct everyday business. Hackers managed to encrypt servers in the…

Source…